21 - FTP

Banner Grabbing

Telnet

telnet 10.0.0.3 21

Netcat

nc -n 10.0.0.3 21

NSE Script

nmap -sV -script banner -p21 -Pn 10.0.0.3

FTP

ftp 10.0.0.3

FTP Exploitation

Note: During the port scanning phase Nmap’s script scan (-sC), can be enabled to check for FTP Bounce and Anonymous Login.

Try anonymous login using anonymous:anonymous credentials.

ftp 10.0.0.3
…
Name (10.0.0.3:kali): anonymous
331 Please specify the password.
Password: [anonymous]
230 Login successful.

List all files in order.

ftp> ls -lat
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
…
226 Directory send OK.

FTP Browser Client

Due to its insecure nature, FTP support is being dropped by Firefox and Google Chrome.

Try accessing ftp://user:pass@10.0.0.3 from your browser. If not credentials provided anonymous:anonymous is assumed.

Brute Forcing

Se Brute Forcing SSH

SecLists includes a handy list of FTP default credentials.

Configuration files

It is important to examine these config files:

ftpusers
ftp.conf
proftpd.conf

Other

Binary and ASCII

Binary and ASCII files have to be uploading using the binary or ascii mode respectively, otherwise, the file will become corrupted. Use the corresponding command to switch between modes.

Download all files from FTP

wget -m ftp://anonymous:anonymous@10.10.10.98 #Donwload all
wget -m --no-passive ftp://anonymous:anonymous@10.10.10.98 #Download all

PreviousServices Exploitation Next25, 465, 587 - SMTP

Last updated 1 year ago